There's no reason I can imagine not to open a JIRA, basically anyone willing to create a patch has my vote!
bq. I'm a bit worried that adding certAlias to jetty-ssl.xml might break existing setups which don't use an alias.

Probably just add a note to the upgrade section of CHANGES.txt, unless others disagree. I confess knowing very little about the mechanics here.

BTW, don't know if you're familiar with asciidoc but in case not I wanted to mention that there's an IntelliJ (and, I assume Eclipse) plugin showing you the rendering, and you can also use Atom.

Best,
Erick

On Wed, Oct 31, 2018 at 7:41 AM Bram Van Dam <[email protected]> wrote:
>
> Hey folks,
>
> Context:
> There's a jetty-ssl.xml config file which configures Jetty's
> SslContextFactory using properties set in solr.in.sh, but it's
> incomplete for some purposes.
>
> Problem:
> I've noticed that no "certAlias" property is present. This means that
> when Jetty starts, it will pick an arbitrary (based on some internal
> order, I guess?) key from the keystore to use. This is fine when you're
> only using your keystore for Solr and it only contains one key, but it
> makes life a lot more complicated in environments where keystores are
> managed and distributed to servers automagically.
>
> When you add a key to the keystore, you can assign an alias. Jetty can
> then use the key with that alias by means of its certAlias config property.
>
> The Solr documentation [1] confusingly assigns the alias "solr-ssl" to
> the key, but as far as I can tell this alias isn't actually used or
> referenced anywhere else.
>
> Solution:
> I'm currently dealing with a slightly more complicated TLS setup, so I
> propose I patch jetty-ssl.xml, solr.in.sh|cmd and enabling-ssl.adoc to
> (optionally) use the alias? Unless someone can think of a reason why I
> shouldn't do this?
>
> I'm a bit worried that adding certAlias to jetty-ssl.xml might break
> existing setups which don't use an alias, but I'm guessing that only
> keystores with more than one key will be affected?
>
> - Bram
>
> [1] https://lucene.apache.org/solr/guide/7_5/enabling-ssl.html
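Added example, not part of the thread and not Solr or Jetty code: a pre-deployment check for the situation described in the quoted message, where a managed keystore holds several private keys and no alias is configured. The helper names are hypothetical, the listing is constructed, and the parser assumes the English `keytool -list` summary format.

```shell
#!/bin/sh
# Added example. SAMPLE_LISTING is constructed; on a real host, pipe in
#   keytool -list -keystore <keystore> -storepass <password>
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

solr-ssl, Oct 31, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <constructed>
other-app, Oct 31, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <constructed>
corp-root, Oct 31, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): <constructed>'

# Print the alias of every private-key entry in a keytool listing (stdin).
private_key_aliases() {
    awk -F', *' '{ for (i = 2; i <= NF; i++)
                     if ($i == "PrivateKeyEntry") { print $1; break } }'
}

# check_cert_alias LISTING [ALIAS]  (hypothetical helper)
#   0: selection is unambiguous (ALIAS names a private key, or only one exists)
#   1: no ALIAS given and several private keys exist, so the choice is arbitrary
#   2: ALIAS given but no private key has that alias, or the keystore has none
check_cert_alias() {
    keys=$(printf '%s\n' "$1" | private_key_aliases)
    count=$(printf '%s\n' "$keys" | grep -c . || true)
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$keys" | grep -Fxq -- "$2" && return 0
        echo "alias '$2' is not a private key in this keystore" >&2
        return 2
    fi
    [ "$count" -eq 1 ] && return 0
    [ "$count" -eq 0 ] && { echo "no private key in keystore" >&2; return 2; }
    echo "no alias set and $count private keys present:" $keys >&2
    return 1
}

check_cert_alias "$SAMPLE_LISTING" solr-ssl && echo "solr-ssl: ok"
check_cert_alias "$SAMPLE_LISTING" || echo "no alias: ambiguous"
```

Trusted-certificate entries are ignored on purpose, since only private-key entries can be served as the TLS identity.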
